DESCENT ON ELLIPTIC CURVES 



MICHAEL STOLL 

Abstract. Let E be an elliptic curve over Q (or, more generally, a number 
field). Then on the one hand, we have the finitely generated abelian group 
E{Q), on the other hand, there is the Shafarevich-Tate group III(Q, i?). De- 
scent is a general method of getting information on both of these objects — 
ideally complete information on the MordcU-Wcil group E{Q), and usually par- 
tial information on ni(Q, E). 

What descent does is to compute (for a given n > 1) the n-Selmer group 
Se\^^\Q,E); it sits in an exact sequence 

— > E{Q)/nE{Q) — > Se\^''\Q,E) — > m{Q,E)[n] — > 

and thus contains combined information on E{Q) and ni(Q, S). 

The main problem I want to discuss in this "short course" is how to actu- 
ally do this explicitly, with some emphasis on obtaining representations of the 
elements of the Selmer group as explicit covering spaces of E. These explicit 
representations are useful in two respects — they allow a search for rational 
points (if successful, this proves that the element is in the image of the left 
hand map above), and they provide the starting point for performing "higher" 
descents (e.g., extending ap-descent computation to ap^-descent computation). 

Prerequisites: Basic knowledge of elliptic curves (e.g., Silverman's book [Silj). 
some Galois cohomology and algebraic number theory (e.g., Cassels-Frohlich [CF] ). 



Date: November 22, 2006. 
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The results described in these notes (if not "classical", i.e., to be found in, e.g., 
Silverman's book [Sil]) were obtained in collaboration with John Cremona, Tom 
Fisher, Cathy O'Neil, Ed Schaefer and Denis Simon. See the papers [ScSttlCFOSSlt 
ICF0SS21 ICF0SS"3] for a more detailed account. 

1. The Selmer Group 

In the following, K will be a number field, and E will be an elliptic curve defined 
over K. E is an algebraic group over and so its set of rational points, E{K), 
forms a group, the so-called Mordell-Weil group. By the Mordell-Weil theorem, it 
is a finitely generated abelian group, and one of the big questions is how to deter- 
mine it (in the sense of, say, giving generators as points in E{K) and relations). 
Descent is the main tool used for that, both in theory and in practice. Doing an 
n-descent on E means to compute the n-Selmer group Se\'-"'\K,E), which we will 
introduce in this section. 

Note that saying that E{K) is a finitely generated abelian group amounts to 
asserting the existence of an exact sequence 

— ^ E{K)tors E{K) ^ r ^ Q 

with r > an integer and E{K)tors a finite abelian group; it consists of all elements 
of E[K) of finite order. Less canonical, but sometimes more convenient, we also 
have 

E{K) = E{K\,,,®U- . 

For any concrete curve E, it is fairly straightforward to find E{K)to^si and we 
will not be concerned with how to do that in these lectures. The hard part is to 
determine the rank r. This is where descent helps. 

1.1. Definition and first properties. 

Let n > 1 be an integer. The usual definition of the n-Selmer group makes use 
of Galois cohomology. Consider the short exact sequences of Gk = Gal(^/i^')- 
modules 

— > ^M(^) — ^ E{K) E{K) — ^ 
(which is usually just written 

— > E[n] — > E ^ E — > 0). 
Then we have the long exact sequence of cohomology groups 

— > E[n]{K) — > E{K) ^ E{K) ^ H\K, E[n]) — > H\K, E) H\K, E) . 
We deduce from it another short exact sequence: 

— > E{K)/nE{K) ^ H\K,E[n]) — > H\K,E)[n] — > 
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It turns out that knowing E[K) is essentially equivalent to knowing its free abelian 
rank r = rank E{K). (Once we know r, we can look for points until we have found 
r independent ones. Then we only need to find the JC-rational torsion points and 
"saturate" the subgroup generated by the independent points. All of this can be 
done effectively.) Now the idea is to use the above exact sequence to at least get 
an upper bound on r: r can be read off from the size of the group E{K)/nE{K) on 
the left, and so any bound on that group will provide us with a bound on r. Prom 
the exact sequence, we see that E{K)/nE{K) sits inside H^{K, E[n]); however 
this group is infinite, and so it does not give a bound. 

But we can use some additional information. We know (trivially) that any ir- 
rational point on E is also a K^-raiionel point, for all places v of K. Now it is 
possible to compute the image of the local map 

E{K,)/nE{K,) ^ H\K,,E[n]) 

for any given v explicitly; and for all but a finite explicitly determinable set of 
places S, the image just consists of the "unramified part" of H^{K^,E[n]). This 
means that in some sense, we can compute all the necessary "local" conditions and 
use this information in bounding the "global" group E{K)/nE{K). Formally, we 
define the n-Selmer group of E, Sel^''\K, E), to be the sub group of H^{K, E[n]) of 
elements that under all restriction maps res^ are in the image of Sy in the following 
diagram. 

> E{K)/nE{K) > H\K, E[n]) > H\K, E)[n] > 

n„ res„ 

, n E{K,)/nE{K,) ^ J] H\K,, E[n]) , J] H\K,, E)[n] , q 

V V V 

Equivalently, Sel^"^(X, E) is the kernel of the map a. The image of Sel^"^(X, E) 
in H^[K,E)[n] is the kernel of the rightmost vertical map in the diagram. More 
generally, one defines the Shafarevich-Tate group of E, UI{K, E) to be 

m(X, E) = ker(//^(X, E) — >\[ H\Ky, E)) . 

V 

Then we get another short exact sequence: 

— > E{K)/nE{K) Sel^''\K,E) — > m{K,E)[n] — > 0. 

This time, one can (and we will) prove that the middle group is finite. And at 
least in principle, it is computable. In this way, we can compute the product 
{i^E{K)/nE{K)){i^UI{K, E)[n\), and in particular, we obtain a bound on the 
rank r. The obstruction against this bound being sharp lies in U1{K,E), which 
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is therefore also an interesting object. Of course, its size (conjectured, but not 
generally proved to be finite) also shows up in the famous Birch and Swinnerton- 
Dyer conjecture, and there are other reasons to study U1{K, E) for its own sake. 
We need some more notions and notation. The unramified part of H^^K^^j, E[n]) 
is the kernel of the restriction map H^^K^, E[n]) — > H^{K!^^^ , E[n]). For any 
finite set of places S oi K containing the infinite places, we define H^{K, E[n]; S) 
to be the subgroup of H^{K, E[n\) of elements that map into the unramified part 
of H\K^, E[n]) for all places v ^ S. 

The finiteness of the Selmer group then follows from the two observations that 
Sel(")(K, E) C H\K, E[n]- S) for a suitable finite set S, and that H\K, E[n]-S) 
is finite for all finite sets S of places of K. 

The latter is a standard fact; in the end it reduces to the two basic finiteness results 
of algebraic number theory: finiteness of the class group and finite generation of 
the unit group. 

Theorem 1.1. If S is a finite set of places of K containing the infinite places, 
then H^{K, E[n\; S) is finite. 

Proof: There is a finite extension L — K{E[n]) of K (the n-division field 
of E) such that E[n\ becomes a trivial L-Galois module. We have the infiation- 
restriction exact sequence 

— > H\L/K,E[n](L)) — > H\K,E[n]) — > H\L,E[n]), 

and the group on the left is finite. Taking into account the ramification conditions, 
we see that H^{K, E[n]; S) maps into H^{L, E[n]; Sl) with finite kernel, where Sl 
is the set of places of L above some place of K in S. Therefore it suffices to show 
that H^{L, E[n]; Sl) is finite. Now 

H\L, E[n]) = H\L, {Z/nZf ) = Hom(G'L, (Z/nZ)^) , 

and the ramification condition means that the fixed field of the kernel of a homo- 
morphism coming from H^{L, E[n]; Sl) is unramified outside Sl- On the other 
hand, this fixed field is an abelian extension of exponent dividing n; it is therefore 
contained in the maximal abelian extension M of exponent n that is unramified 
outside Sl- 

By Kummer theory (L contains the nth roots of unity because of the n-Wcil 
pairing), M — L{\/7j) for some subgroup U C L^/(L^)". Enlarging Sl by 
including the primes dividing n, the ramification condition translates into 

U = L{Sl, n) = {a e : n I v{a) for all v i Sl\I{VT 

(the "n-Selmer group of Ol,Sl)- ^PPlyi^S the Snake Lemma to the diagram 
below then provides us with the exact sequence 
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Since the Si-unit group O^^g^ is finitely generated and the S'L-class group C\sj^{L) 
is finite, U — L(SL,n) is finite, and hence so is the extension M. We see that all 
the homomorphisms have to factor through the finite group Gal(M/L), whence 
H\L,E[n];SL) is finite. 



Lx > L^^ ^ LV(LX)" > 

-4^ ^ ^ 

^ Isj. > Isj. > hjnls^ > 

-->Cl5,(L)^Cl5,(L) 


□ 

The next result implies that '^e\^^\K,E) is finite. 

Theorem 1.2. ^e\^"'\K,E) C H^{K, E[n]] S) where S is any finite set of places 
of K containing the infinite places, the places dividing n and the finite places v 
such that gcd{cv{E),n) > 1, where Cy{E) is the Tam,agawa number of E at v. 

Proof: We have to show that for ^ G Sel'-'^^K, E) C H^K, E[n]) and for v ^S, 
^ maps to zero in [K^^^"^ ^ E[n\) . Consider the exact sequences 

EiK^f E{KD ^.{K) 
EiK^'^y S{Kf 

Here S is the Neron model of E over Ok^, £ikv)^ is the connected component of 
the identity on the special fiber of E{K"^^)^ is the subgroup of points mapping 
into £{kv)'^ (the points of good reduction on a minimal Weierstrass model at f), 
and E{K'!^^^Y is the kernel of reduction at v. Applying the Snake Lemma to 
multiplication-by-n on these sequences gives exact sequences of cokernels 

EiK^^^'f/nEiK^f E{Kr)/nE{Kr'') ^,{h)/n^M 

and 

E{K^^Y/nE{Kl^Y E{K:^''y/nE{K^^'f £{hf/nE{Kf. 
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We claim that the image of E^K^) in E{K'^^^) is divisible by n. Let P G E{Ky). 
Then in the first sequence, the image of P in the group furthest on the right is 
in ^y{ky) / {^y{ky) n n^y{k^)), and this group is trivial, since c^{E) = ^^^{ky) is 
prime to n. Hence the image of P comes from In the second 

sequence, the group on the right is trivial, because the A;^-points of an algebraic 
group over k^ form a divisible group. The first group is also trivial, because it 
is a Zp-module (with p the residue characteristic of v), and n is invertible in 
this ring. Hence E{K'^^'^)^ /nE{K!;^^^)^ = 0, and the image of P must vanish 
in E{K^^^)/nE{K^'^'^). Now consider the following diagram. 

E{K,)/nE{K,) > H\K,,E[n]) 

£;(A7"-)/^^(^T"') H\K^''\ E[n]) 

We have seen that the left vertical arrow is the zero map, therefore the image of 
5y also maps trivially under the right vertical map. This exactly means that the 
elements of the Selmer group (mapping into the image of E{Ky) in H^{Ky, E[n])) 
are unramified at v. □ 
Remark: The proof shows that in general, the image of E{Ky) in H^{K^^^ ^ E[n\) 
is isomorphic to $^(/c^)/($^(A;^) nn$^(A;^)) for all finite places v that do not di- 
vide n. In particular, the order of the image divides the Tamagawa number Cy{E). 

1.2. Interpretation of Selmer group elements. 

The definition of the Selmer group as a subgroup of H^{K, E[n]) is rather abstract, 
its elements being given by classes of 1-cocycles with values in E[n]. However, it 
is possible to give the Selmer group elements much more concrete interpretations. 
This is based on the following general fact. 

Proposition 1.3. Let X be some sort of algebraic or geometric object, defined 
over K. Then the set o/ twists of X, i.e., objects Y defined over K such that X 
andY are isomorphic over K , up to K -isomorphism, is parametrized hy {K , Kui i^[X)) . 
(When the automorphism group of X is abelian, this is an abelian group; other- 
wise, it is a pointed set with the class of X as its distinguished element.) 

Proof: This is quite standard (at least in many concrete manifestations). The 
map from the twists to H^{K, Aut^iX)) is obtained as follows. Let F be a 
twist of X. Then there is an isomorphism : y — > X, defined over K. Then 
^o- = (t>'^(t>~^ defines a 1-cocycle with values in Aut^(X), and postcomposing by 
an automorphism of X changes ^ into a cohomologous cocycle. To get the map 
in the reverse direction, one takes the K- "points" of X and "twists" the action of 
Gk by ^ by decreeing that the action of cr on y (which has the same underlying 
set of X- "points" as X) is given by the action of cr on X, followed by ^o-i. □ 
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Since Sel^"'' {K, E) C H^(K, E[n]), this means that we can obtain interpretations 
of Selmer group elements via interpretations of elements of H^{K, E[n\) as twists. 
So we have to look for "objects" whose automorphism group is E[n\. 

Principal homogeneous spaces. Let us first look at a somewhat simpler situ- 
ation related to H^(K,E). Consider "objects" of the form C- - ^E, where the 
isomorphism is defined over K. Two such diagrams are isomorphic if there is an 
isomorphism C C and a point P e E such that the diagram 

^E 

I 

I • +P 
^E 

commutes. Then the automorphisms of the trivial object E E are just the 

translations, so the automorphism group is E{K). The objects arc called principal 
homogeneous spaces for and they are classified (up to i^-isomorphisms) by the 
Weil-Chdtelet group WC{K, E) = H\K, E). 

Given a curve C as above, we can change the isomorphism to E by any translation 
without changing the isomorphism class of C as a principal homogeneous space. 
So given C, the only ambiguity in endowing it with a structure as a principal 
homogeneous space comes from the automorphism group of E as an elliptic curve. 
Generically, this is just {±1}, and so there will be at most two structures as a 
principal homogeneous space for E on C. (The two will coincide when either one 
has order dividing 2 in H^{K, E).) 

Note also that a principal homogeneous space has an algebraic group action of E 
on it. If : C — > E is an isomorphism (over K), then 

C X £; 9 (P, Q) ^ P + Q := (t)-\(t>{P) + Q)eC 

is defined over K, since it is unchanged when (p is post-composed with a translation 
on E. Also, there is a well-defined (over K) "difference morphism" 

C xC 3 {P,P')^ P - P' := (/)(P) - (j){P') e E 

such that, for example, P+{P' — P) = P' . Conversely, given morphisms CxE — > 
C and C xC — > E satisfying the usual properties, C becomes a principal homo- 
geneous space (in the sense above) by picking any point Pq G C and considering 
the isomorphism CbP^P — Pq^E. So we could have defined principal 
homogeneous spaces also through actions of E on curves C. (In fact, this is what 
is usually done.) 



C-- 
c'-- 
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If C has a i^T-rational point P, then there is a i^-defined isomorphism 
that maps P to O. We obtain a diagram 



C 



E 




showing that C is trivial as a principal homogeneous space (i.e., X-isomorphic to 

E ^ E). 

In this context, the elements of III(i^r, E) are represented by principal homogeneous 
spaces with X^-points for every place or with points "everywhere locally" , up to 
isomorphism over K. Nontrivial elements of III(i^, E) are those that have points 
everywhere locally, but no global points, i.e., those that "fail the Hasse Principle" . 

First interpretation: n-coverings. Here, our object X is the multiplication- 
by-n map E E. The twists are covering maps C E such that there is an 
isomorphism C — > E over K such that the following diagram commutes. 

~^E 



■^E 



C 
I 
I 

E- 

Such a C E is called an n- covering of E. An isomorphism between two n- 

coverings C E and C E is given by an isomorphim : C — > C such 
that the following diagram commutes. 



C 



^E 



^E 



C 

The automorphisms of E — ^ E are then given by the translations by n-torsion 
points (acting on the left E), so that we indeed obtain E[n] as the automorphism 
group. 

In this interpretation, the map E[K)/nE[K) — > H^[K,E[n]) comes about as 
follows. To a point P e E{K), we associate the n-covering E E such that 
7r((5) = nQ + P. It is easy to check that the isomorphism class of the covering 
only depends on P mod nE{K). On the other hand, each n-covering C E 
such that C{K) 7^ is isomorphic to one of this form: there is an isomorphism 
between C and E defined over K (mapping a i^'-rational point on C to O E E); 

under the composed map E C — ^ E^ the origin O maps to some P G E{K), 
and then the map must he Q ^ nQ + P. Tracing through the definition of the 
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connecting map 6 shows that the map defined here coincides with 6 under our 
interpretation. 

For the Selmer group elements, this means that they correspond to the n-coverings 
that have points everywhere locally. 

Note that the curve C in an n-covering C — ^ E carries the structure of a principal 
homogeneous space for E: any ^-isomorphism C — > E in the definition above 
provides such a structure, and since these isomorphisms are all related by trans- 
lations (by n-torsion points) , the isomorphism class of the principal homogeneous 
space structure is well-defined. This gives us the map H^{K, E[n]) — > H^[K, E) 
in the coverings interpretation. 

Second interpretation: Maps to P"~^. Here is another interpretation. On 
we can consider the map to P"~i that is given by the complete linear system 
associated to n ■ O. Other objects are diagrams 

I 

I s 

■4- 
>pn-l 

with the dashed isomorphisms defined over K. Twists of P"^i like S are called 
Severi-Brauer varieties; they arc classified (according to the general principle) by 
H^{K,PGLn). Since PGL„ is non-abelian, this is just a pointed set; however, 
applying Galois cohomology to the exact sequence 

^ ^ GL„ ^ PGL„ 0, 

one obtains an injection H^(K,PGLn) — H'^{K,Gm) = Bi{K) identifying 
H^{K, PGL„) with the n-torsion Br(ir)[n] in the Brauer group of K. 

An isomorphism between two such diagrams is given by a pair of isomorphisms 
C — > C and S — > S' such that the diagram 

C 

\ / 
\ / 
\ / 

E > P"-i 

I I 
I ■ +p I 

E >■ P"-i 

^ K 

/ N, 
/ \ 
/ \ ^ ^ 

C ^S' 

commutes, with some choice oi P E E and some automorphism of P'^~^ over K. 
Automorphisms of E — > P"~^ are therefore given by translations on E that fix 
the linear system |n • 0|. Translation by P does this if and only ii n ■ P e \n- 0\, 



C 



E 
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i.e., iff P e E[n]. So we obtain again tlie correct automorphism group, and we 
see that H^{K, E[n\) also classifies diagrams as above, up to isomorphism over K. 
The map to H^{K, E) comes through "forgetting" the right half of the diagram. 
In particular, we see that the curve C in both the coverings and the maps to 
pn-i interpretation of a given element in H^{K, E[n]) is the same (as a principal 
homogeneous space for E). So, also in our second interpretation, the elements of 
the Selmer group are those diagrams such that C has points everywhere locally. 
This implies that also the Scvcri-Brauer variety S has points everywhere locally. 
Now there is the very important local-global principle for the Brauer group: 

Br{K) Br(X,) ^^"^ Q/Z 

V 

is exact. In particular, an element of the Brauer group of K that is locally trivial 
is already (globally) trivial. This implies that S has a i^-rational point, and so 
S = P""-*^. Whence the following result. 

Proposition 1.4. The elements of Sel^"'\K , E) are in 1-to-l correspondence with 
K -isomorphism classes of diagrams 

I 

I ^ 
-I- 

such that C has points everywhere locally. 

Let us look at what this means for various small values of n. 

n = 2: On E, the map to given by |2 • 0| is just the x-ccordinate. It is a 2-to-l 
map ramified in four points (namely, £'[2]). Any twist C — > P^ will have 
the same geometric properties, which means that C can be realized by a 
model of the form 

— f{x) — ax'^ + bx^ + cx^ + dx + e . 

(This is an affine model; a somewhat better way is to consider 

= F{x, z)^ax^ + hx'^z + cx^z^ + dxz^ + ez'^ 

in a (1, 2, l)-weighted projective plane.) 
n — 3: The map E — )• P^ given by |3 • 0| is an embedding of degree 3, realizing 
as a plane cubic curve. Similarly, any element of the 3-Selmer group can 
be realized as a plane cubic curve, with an action of £^[3] on it through 
linear automorphisms. 

n — A: Here we obtain a degree-4 embedding into P^; its image is given as the 
intersection of two quadrics. 



C 

I 

^ I 
E 
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More generally, for n > 4, the image in P"^i is given as the intersection of 
n{n — 2>)/2 quadrics; for n > 5, this is no longer a complete intersection. For 
n — 5, there is a nice description by sub-Pfaffians of a 5 x 5 matrix of linear forms. 
For general elements of H^{K, E[n]), we obtain another forgetful map. If we forget 
the left hand side of the diagram, then we obtain a map 

Ob : H\K,E[n]) — > H\K, FGK) = BT{K)[n] , 

the "obstruction" against an embedding (or a map) into P"~^. 
Warning. This map is not a homomorphism! 

1.3. What the Selmer group can be used for. 

The most obvious use of the Selmer group is to provide an upper bound for the 
Mordell-Weil rank r: we have 

. #Sel(")(i^,ig) # Sel^'^) {K, E) 



4^{E{K\,JnE{K\,,.,)i^UI{K,E)[n] " i^{E{K\,JnE{K),,,,) ' 
To get this, it is sufficient to just compute the order of the Selmer group. 
Moreover, by computing the sizes of various Selmer groups (for coprime values 
of n), we can compare the bounds we get, and in some cases deduce lower bounds 
on the order of III(K, E). For example, if we get r < 3 from the 2-Selmer group 
and r < 1 from the 3- Selmer group, then we know that #III(ir, £')[2] > 4. 
On the other hand, in order to show that the rank bound we get is sharp, we need 
to prove that all elements of the Selmer group come from i^'-rational points on E. 
This is rather easy if we find sufliently many independent points on E. However, 
in many cases, some of the generators of E{K) can be rather large and will not be 
found by a systematic search. Here, it is useful to represent the elements of the 
Selmer group as n-coverings C. We then have a diagram 



degn 

c y p"-i 



degn^ 



E' 



deg2 



deg2n 



Pl 



with a rational map of degree 2n on the right hand side. 

For example, when n = 2, the map — > P^ on the right hand side is given by 
two quartic forms (the quartic showing up in the equation of the 2-covering C and 
its quartic covariant). 

From the general theory of heights, we expect the logarithmic height of a point 
on C, as given by its image in P"~^, to be smaller by a factor of about l/2n than 
that of the x-coordinate of its image on E. This will make these points much 
easier to find on C (in P"~^) than on E. If we find a X-rational point on C, we 
know that the corresponding element of the n-Selmer group is in the image of 5, 
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and we can improve the lower bound on the rank. Note that in practice, to really 

be fairly certain that the points on C are as small as expected, it is necessary to 

have a "small" model of C, i.e., given by equations with small coefficients. 

In case we do not find a iC-rational point on C, we can use the curve C as the 

basis for "higher descents" ; in this way we may be able to prove that C does not 

have any X-rational points, or find points on curves that cover C. 

The program for the following will therefore be to first show how one can compute 

the p-Selmer group for a prime number p (the most important case) . Then we will 

discuss how to obtain from this computation actual covering curves. But first, we 

will introduce another interpretation of the elements of H^{K, E[n]). 

Third interpretation: Theta groups. In the second interpretation, on the 
morphism E — > p"-i there is an action of E[n]; in particular, E[n] acts on P'-^'^ 
by automorphisms. Thus we obtain a homomorphism xe '■ E[n] — > PGL„. We 
can then define ©b by the following diagram. 







E[n] - 

XE 



->0 



y Gm >■ GLn y PGL„ ^ 

Proposition 1.5. In the above, for any 9,9' & Be, we have 

[9^9'] = 99'9-'9'-' = a{en{P{9),(3{9')) , 
where e„ : E[n] x E[n] — > /in ^ G^ is the n-Weil pairing. 

Proof: Let T, T' e E[n]. We have to show that for any two lifts 9, 9' e GL„ of 
Xe{T) and Xe{T'), we have 

[9,9']^er,{T,T')In 
(where /„ is the n x n identity matrix). 

For this, note that P"^~i can be identified with P(L(n ■ O)*). For every T G E[n], 
choose Jt G K{E)^ such that div(/T) = n ■ T — n ■ O. Then the action of T 
on P(L(n ■ O)*) is induced by 

L{n-0)3 f^{P^ fT{P)f{P - T)) e L{n ■ O) . 

Note that a choice of 9 lifting Xe{T) corresponds to a choice of /t. Now the action 
of the commutator [9, 9'] is given on L{n ■ O) by 

/r(P)/r'(P-T) 



-m) ■ 



fT{P-T')fT'{P 

The factor in front of f{P) is constant (where defined) and by a standard result 
equal to e„(T,T'). □ 
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The proof shows that 0^; can be represented as the set 

{(T, /r) : T e E[n], /t G div(/T) =n-T-n-0] 

with the group structure given by 

(T, /t)(T', /tO = (T + T', P ^ MP)MP - T)) ; 
also a(A) = (O, A) and /5(T, /r) = T. 

More generally, we define a i(/ieto grotti) of level n for £^ to be an exact sequence 
(of K-group schemes) 

— > Gm ^ e ^ E[n] — > 

such that for 9,9' & Q, we have again 

[9,9'] = a{e4m,PiO')). 

(Note that this implies that © is a central extension of E[n] by Gm-) An isomor- 
phism of two such diagrams is given by a G/i:-isomorphism (p : — > 0' making 
the following diagram commutative. 

— >■ Gm — y — y E[n] > 

<^ 

> Gm > 0' > E[n] > 

Working out what the automorphisms of 0^; are, we find that they are of the 
form (T, /t) i — > {T, '^{T) fT) for a homomorphism (/? : E[n] — > Gm. Such a if 
necessarily takes values in /x„, and by the non-degeneracy of the Weil parining e„, 
there is some T' e E[n\ such that (p{T) — en{T', T). We see that the automorphism 
group is again E[n\. Furthermore, we have the following result. 

Proposition 1.6. All theta groups of level n for E are isomorphic over K (i.e., 
as abstract group extensions) . 

Proof: Short proof: On the level of abstract groups, theta groups are classified 
by H'^{{7j/n'LY , K^). There is a canonical map 

//'((Z/nZ)2,X^) /\'Hom((Z/nZ)2,X^) 

induced by the commutator. Since is divisible by n, this map is an isomorphism 
by a result from group cohomology. Since theta groups are represented on the left 
as the elements that map to the Weil paring e„ in the right hand group, there is 
only one such extension, up to isomorphism. 

Sketch of long, but down-to-earth proof: choosing any set-theoretic section E[n] — 
mapping O to the neutral element, the underlying set of can be identified 
with X E[n\. The group structure is then given by a map 

/ : E[n] X E[n] — > K"" 
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such that 

(A,T)(A',T') = (AA7(T,T'),T + T'). 
Prom the group axioms, we find that / has to satisfy 

/(O, T) = /(T, O) = 1 , /(T, T')/(T + T', T") = f{T, T' + T")f{T\ T") . 

(I.e., / is a normalized 2-cocyclc.) Wc also have that 

/(r,r') = e„(r,T')/(r',r). 

If we have two theta groups 0i and G2, with multiplication given by /i and /2, 
then setting f(T,T') = /i(T, T')//2(T, T'), / satisfies the cocycle condition, and 
it is symmetric: f{T,T') = f{T',T). We now construct a map ip : E[n] — > . 
Set Lf lo) = 1. Pick a basis T,T' for E[n]. Set 

(^(T) = (/(T, T)/(T, 2T) . . . /(T, (n - 1)T)) 

(^(T') = (/(T', r')/(r', 2T') . . . /(T', (n - 1)7'))"'^" 

with any choice of the nth roots (here we need that \s divisible by n). Then 
we continue by defining 

^{mT) = /(T, T)/(r, 2r) . . . /(T, (m - 1)7) (/.(T)- 
<p{mT') = /(T', r')/(7^', 2T') . . . /(T', (m - 1)T') <p{TT 
ip{mT + m'T') = f{mT, m'T') ip{mT)ip{m'T') 

Now we have by an easy induction using the cocycle relation that 

fiaT bT) = ^("^ + fiaT' bT') = ^^"^^ + ^^'^ f(aT bT') = ^^"^ + ^^^^ 
^^""''^'^ V^(aT)v9(6T)'^^''' ^ ^(aT')v^(6T')^^ ' ' viaTMbT'Y 

Since we can express f{aT + 6T', cT + dT') in terms of values like the above, we 
get that 

for all P,Q e E[n\. Then 

e2 9(A,P)^((^(P)A,P)eei 

is an isomorphism. □ 
We deduce that H^{K,E[n]) parametrizes theta groups of level n for E, up to 
X-isomorphism. These theta groups are not geometric objects like our n-covering 
curves, but they are quite useful. 

If C — > f>n-i jj-^ Qyyj. second interpretation represents an element of Sel*^"-* (iiT, E), 
then we can easily find the corresponding theta group 6c;. Namely, E[n] acts by 
automorphisms on this diagram and thus gives us a homomorphism xc '■ E[n\ — > 
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PGL„. As before, we can then define Qc to be the pull-back of the image of xc 
under the canonical map GL„ — > PGL„: 











c 



->0 



xc 



->PGL, 



-^0 



For more general diagrams C — > S, GL„ and PGL„ have to be replaced by their 
twists corresponding to Ob(C S) = S; in this way, we obtain ©c as a subgroup 
of ^4^, where As is the central simple algebra corresponding to S. (See below.) 

2. Computation of the Selmer Group as an Abstract Group 

The interpretations given so far are not very well suited for actually computing 
the n-Sclmer group. (For n = 2, this is not quite true: John Cremonas mwrank 
program actually enumerates 2-coverings in order to find the 2-Selmer group.) So 
we will need some other representation of the Selmer group that is more algebraic 
in nature and yields itself more easily to computation. 

Before we go into this, let me remark that the various Selmer groups are related. 
From the diagram 







-> Elmn 







we can deduce an exact sequence 

E{K)[n] 
■mE{K)[m.n] 

■Se\^''\K,E) - 








Sel('")(i^, E) — > Se\^'^''\K, E) 
m{K, E)[n] 



0. 



mm{K, E)[mn] 

Here the map Sel("^) — . Sel^™") is induced by the inclusion E[m] ^ E[ mnl, and 
the map Sel*-™"-* — ^ Sel*-"-* is induced by multiplication by m E[mn] — > E[n]. 
In particular, the composition Sel*-"-* — > Sel*^™"^ — > Sel*-"^ (the first map coming 
from the diagram where the roles of m and n are exchanged) is multiplication 
by m on Sel^"^. Together with the exact sequence above, this imphes that 

Sel("»")(ir, E) ^ Sel('")(X, E) x ^S''\K, E) 

whenever m and n are coprime. 
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Therefore it is sufficient to compute Sel^^\K,E) when n = p-^ is a prime power. 
The first step in this is to consider the case n — p. The computation of Sel^^ ^ {K, E) 
(and for higher powers of p) then is most easily done by computing the fibers of 
the canonical map one by one. (This procedure is 

sometimes referred to as "second" or "higher descent".) 

Fourth interpretation: via etale algebras. 

The goal of the interpretation I will explain now is to ease computation of the 
Selmer group. So we will consider an algebraic realization of H^{K, E[n\) and not 
a geometric one. 

In what follows, one of the main characters of the play will be the etale algebra R 
of E[n\ . This is just the affine coordinate algebra of the 0-dimensional scheme E[n] . 
More concretely, we have 

i? = Map(^[n],ir)^^; 

these arc G/^-equi variant maps on E[n] with values in K. Note that the action 
of (7 e Gk is 

(r :r^/(r--'r). 

For example, any rational function on E defined over K and not having poles 
in E[n] will give an element of R. 

Since E[n] is an etale f^-scheme, R is an etale algebra: it is isomorphic to a 
product of (finite) field extensions of K, one for each G^-orbit on E[n]. If T is 
a point in one such orbit, then the corresponding field extension is K(T) (i.e., K 
with the coordinates of the n-torsion point T adjoined). For example, we always 
have a splitting R = K x Ri, where the K corresponds to the singleton orbit {O}, 
and Ri corresponds to E[n] \ {O}. 

We will also use R = R ®k K = Map(£^[n], ^). As an algebra, this is just 
^-E[n] ^ ^ ^j^g action of Gk is "twisted" by its action on E[n], permuting 
the factors. 

In this context, R^ is the multiplicative group of maps from E[v\ into , and 
R^ is the subgroup of Gx-equivariant such maps. For example, every T e E[n\ 
gives a map 

e(T) : E[n\ 3S^ e„(T, 5) G ^„ C 
and so we obtain an injective (because e„ is non-degenerate) homomorphism 

e : E[n] — > . 

The idea now is to extend this to (the beginning of) a resolution of E[n] as a K- 
Galois module, in order to get some more or less concrete realization oi H^{K, E[n]). 
In general, if Ra and Rb are the coordinate rings of two affine X-schemes A and B, 
then Ra ®k Rb the coordinate ring oi A x B. So R ®k R is the algebra of 
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Gii-equivariant maps from E[n] x E[n] into K, and R ®k R= {R ®k R) ®k K is 
the algebra of all such maps. 

Now observe that all e(T), for T E E[n], are not only maps, but homomorphisms 
E[n] — > . I.e., a = e(T) satisfies the relations «(Ti + T2) = a{Ti)a(T2). By 
the non-degeneracy of the Weil pairing, we also know that the e(T) are all the 
homomorphisms. This implies that, if we define 

d:R-3a^ ((Ti, T,) ^ ^||^) e ®^ 

then 

O^E[n] -^W" -^{R^jiRY 

will be exact. 

In order to use that to realize H^{K, E[n\), we need to know what the image 
of the map d is. One obvious property of all da is that they are symmetric: 
da{Ti,T2) = da{T2,Ti). But there are more conditions they satisfy. Let us define 

d : {mKRV 9 (iTi,T2,Ts) ^ ^''t\ ) ^ (^®^^®^^)' ■ 

V p{Ti,T2 + T3)p{T2,T3)J 

Then we have the following result. We define Sjmj^{R) to be the subalgebra of 
R (E)k R consisting of symmetric maps (and similarly Sym^(i?) for R and K). 

Proposition 2.1. The following is an exact sequence. 

— > E[n\ -^R"" ^ {Sjml{R)y {R^kR^kRY 

Proof: We only have to show exactness at (Sym^(^))^. It is immediately 
checked that dda = 1 for a e On the other hand, if p G (Sym|.(^))^ such 
that dp — 1, then as a map E[n]'^ — )• X^, p is a symmetric 2-cocycle, and we have 
seen in our discussion of theta groups that each such 2-cocycle is a coboundary, 
which translates into p — da for some a e R^ . □ 

CoroUciry 2.2. There is an isomorphism 

ker(d I Sym^(i?)x) ^ . 
H = ^ ' ^^/^ ' ^ H\K, E[n]) . 

It is defined as follows. Take p e Sym^(i?)^ such that dp — 1. Then there is 
some 7 G R^ such that d^ — p. Now the Galois 1-cocycle a 1— > 7°^/7 takes values 

in the kernel of d, so we can write 7'^/7 = e{T„), where a ^ T^ is a 1-cocycle 
with values in E[n] representing the image of p in H^{K.iE[n]). 

Proof: Prom the proposition, we get the short exact sequence 

E[n] -^W" ^ ker(9 | (Sym|(^))^) . 
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Apply the long exact cohomology sequence to get 

(The latter equality is an easy generalization of Hilbert's Theorem 90.) The de- 
scription of the isomorphism follows the definition of the connecting map 6 above. 

□ 

Therefore, we can represent {K, E[n]) as a subquotient of Sym|^(_R) ^ / (Sym^(i?) ' 
Putting in the condition that the elements are unramified outside the set S of 
places of K described in Thm. 11.21 we see that Sel("^(K,E) is contained m a 
subquotient of the "n-Selmer group" of the 5- integers of Sym|-(i?), 

a 2,■D^,c \ {P e Sym^(i?)^ : Sym^(i?)(^) unramified outside ^} 
Sym,(i?)(5,n) = ^M^^ ' 

This is a finite group that is effectively computable. However, this computation 
requires the knowledge of the class and unit groups of the number fields occurring 
as factors of Sym^(i?). If n = p is an odd prime, we have a splitting 

Sym^(i?) ^ K xWhjX L, 

i 

where K corresponds to {(0,0)}, Lj corresponds to the set {(T, jT) : O ^ 
T e (where j runs through a set of representatives of modulo identifying 

inverses) , and L corresponds to the set of unordered bases of E [p\ . The cardinality 
of this set, and therefore the degree of L, is {p— l)^p(p+ l)/2. Generically, L is a 
number field of that relative degree over and so even for p = 3, this is outside 
the range of practical applicability of current methods in computational algebraic 
number theory. So we will need a better, smaller representation. But let us first 
see how one could use our current representation at least in principle to actually 
compute the Selmer group. 

For this, note that the result of Thm. [L2] can be extended to show that the Selmer 
group can be obtained by a finite computation: 

Sel('^)(ir,E) = {ie H\K,E[n]; S) -.^v e S : res^(0 G 6^{E{K^)/nE{K^))} 

(For this, one needs to show that the image of E{Ky)/nE{Ky) in H^{Ky, E[n\) is 
exactly the unramified part, for all v ^ S.) In order to turn this into an algorithm, 
we first need to find the image Hs of H^{K, E[n]; S) in H. This is obtained through 
the computation of Sym|-(_R)(S', n) and then passing to the relevant subquotient. 
(For this, we need to find R{S, n) and compute its image under d.) Then we need 
to have explicit representations of the maps reSt; and 5^, for all v & S. For the 
restriction maps, we just observe that the result of Cor. l2.2l works over any field K 
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and is functorial. Applying this observation to the field extension K C K^^ we get 

_ ker(a I (Sym^(i?) ®k K^Y) 

this is induced by the canonical map Sym^(i?) — > Sym^(i?) K^. Note also 
that if„ is a finite group. To get a nice representation of 5^ (or 5), we remind 
ourselves of the usual definition of the Weil pairing. 

Let T e E[n\ be an n-torsion point. Then there is a rational function Gt £ 
K{T){EY such that 

div(GT)=n*(T)-n*(0)= P- Q- 

P:nP=T Q:nQ=0 

This divisor is stable under translations by elements of E[n]^ therefore we have 
that Gt{P + S) = c{S)Gt{P) for some constant c{S) independent of P, when 
S e E[n]. This constant is en{S,T). We can choose these functions Gt in such 
a way that G : T ^ Gt is Galois-equi variant. Then we can interpret G as an 
element of R{E)^ (where R{E) = K[E) ®k R] its elements are G^^-equivariant 
maps from E[n] into K{E)), and we have G{P + T) = e{T)G{P) for P e E\E[n?] 
and T e E[n\. Now consider the following diagram. 

— y E[n] y E y E y 

I I 

I G I r 



yE[n\^^R^^^\iei{d \ Sym|(i?)^) ^0 

The map r is defined as shown: to find r(P), take some Q & E such that nQ = P, 
then r{P) = dG{Q). This is well defined, since another choice Q' in place of Q 
will differ from Q by addition of an n-torsion point T, so 

dG{Q') = dG{Q + T) = d{e{T)G{Q)) = dG{Q) , 

since de{T) = 1. This also shows that r is defined over K, so r E Symj^{R){E)^ . 
To find out what function vt^^t^ ^ K{E)^ is, let us determine its divisor. By 
definition, 

, GtAQ)Gt,{Q) 

so 

n*(div(rTi,T.)) = n*{T^) + rfiT^) - n*{T, + T^) - n*{0) . 

So rTi,T2 has simple zeros at Ti and T2 and simple poles at Ti + T2 and O: it is the 
function witnessing that Ti + T2 is the sum of Ti and T2. So, up to normalizing 
constants, with respect to a WeierstraB model of E, rTi,T2 is the equation of the 
line joining Ti and T2 divided by the equation of the (vertical) line joining Ti +T2 
and O. For suitable normalisation of the Gt, we can take quite concretely the 
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following. Here, the line joining two points Ti and T2, such that Ti, T2, T1 + T2 7^ O 
(the tangent hne at T of E, when Ti — T2 — T) is supposed to have equation 

V = >^T^,T2X + mT^^T2 ■ 

Take 

1 if Ti = O or Ts = O; 

x-x{Ti) ifTi + Ts^O, Ti^O; 



iiT,,T2,T, + T2y^O. 



x{T, + T2) 

Now, chasing through the definitions of the connecting homomorphisms 

E{K) ^ H\K, E[n]) and H ^ H\K, E[n]) , 
we easily find the following. 

Proposition 2.3. The composition E{K) — > H^{K,E[n]) — > H is induced by 
r:E{K)\E[n]^Symj,{R)\ 

The "missing" values on E{K)[n] can be obtained by a suitable rescaling and 
hmiting process. This result is again valid for all fields K and functorial in K, so 
we can use it to compute the local maps Sy : E{Ky)/nE{Ky) ^ Hy. Since we can 
easily compute the size of the group on the left hand side — say, n = p is a prime, 
then 

if is finite and v \p] 

dimp^ E{Ky)/pE{K^) = dimp^ E{Ky) \p] + {[Ky : Q^] if ^; | p; 

- [Ky : M] if V is infinite — 

we can just pick random points in E{Ky) until their images in Hy generate a 
subspace of the correct size. Having found all the "local images" 

Jy = 5y{E{Ky)/pE{Ky)) CHy, iOVVE S, 

the determination of the Selmer group as a subgroup of Hs is reduced to linear 
algebra over Fp. Mutatis mutandis, this will also work for arbitrary n. 

Let us summarize the discussion. 

Theorem 2.4. There is an effective procedure for computing the n-Selmer group 
of an elliptic curve over a number field K . It requires class group and unit group 
computations in extensions of K of the form i^r({Ti, T2}), where {Ti,T2} is an 
unordered pair of n-torsion points of E. 



DESCENT ON ELLIPTIC CURVES 



21 



As mentioned above, as it stands, this result is rather theoretical, since the number 
fields that occur are too large for practical computations. However, we can improve 
the situation. Restricting to n-torsion subgroups in the basic exact sequence 

^ E[n] ^ i?^ ker(9 | (Sym|(i?))^) , 

i/i(i^,/i„(i?))-i?7(i?xr. 

The isomorphism comes in the usual way from the fact that H^{K, R^) = 0. 
Now we have the following nice fact (see [DSSj IScStj ). 

Proposition 2.5. If n = p is a prime, then (9/ip(i?)) ^ = dfj,p{R). 

For the proof, one basically checks all possibilities for the image of Gk in Aut (i?[p]) = 
GL2(Fp), the most interesting case being when the image is a p-Sylow subgroup. 
Remark: The result is not true in general for composite n. For example, taking 
n = 4, there are 20 conjugacy classes (out of 62) of subgroups of GL2(Z/4Z) such 
that the kernel above has order 2 or even 4. To give a very concrete example, 
consider the elliptic curve y"^ = + a; + 2/13 over Q; then the index of d^i{R) 
in the GQ-invariants of dfi^^R) is 2. (Here the subgroup is the one problematic 
one of index 2. It occurs generically when the discriminant of the cubic is minus 
a square.) 

In any case, we have a homomorphism 

H ^ H\K, E[n]) i?V(i?^)" . 

By the definition of the Kummer map R^/{R^)^ — > H^{K, fin{R)), it is obained 
as follows. Take p G Sym|^(i?)^ representing an element of H, so dp = 1. Then 
there is 7 G R^ such that d'j = p. Now 7*^/7 G keid C fin{R) for all a G Gk, 
hence 7"" G R^ . If we change p into p ■ da with a G R^ , then 7" changes into 
7"a", and we get a well-defined map H — > R^ /{R^)"^. A somewhat more explicit 
description is to say that the map is induced by 

Sym^(i?)x 3p^{T^ l[p{T,jT)) G . 

i=o 

So when n = p is a prime number, then we can use the image of H in R^ /{R^Y 
instead of H itself. The advantage of this is obvious: the field extensions of K 
occurring in R are usually much smaller than the ones in Sym|;(i?). Generically, 



E[n] ^ pniR) — 

This gives us 
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R = K X Ri, with Ri a field extension of K of degree — 1. For K = Q and 
p = 3, this leads to octic number fields, where computations are feasible. 

To make this approach work, we need to know the image H of H in R^ /[R^y, 

and we need to realize the map E[p] H^(K, E[p]) — > H. 

The first question is answered by looking at the map H —>■ H: given a G R^ , if 
a{R^y G H, then a = 'j'p such that d'y G Sym^(_R). This means that 

~ _ {a e R>< : da e {Sym%{Rrr} 

(i?x)P 

and we can compute Hs, the image of Hs, as a subgroup of R{S,p). (There is 
another description of H that for p > 3 uses smaller fields, and it only requires 
checking for pth powers in fields of degree at most p^ — 1; compare |ScStj .) 

Note also that given a G R^ representing an element of H, we find p representing 
the corresponding element of as p = -^^^a. By the characterization of H, the 
root exists, and since H = H, it does not matter which root we take if there is a 
choice (as long as it is symmetric and a cocycle); they will all represent the same 
element of H. 

For the realization of 6, consider the following diagram. 

> E[p] > E E > 

I I 

e \G \F 

:^ p :^ 
> fip{R) > i?x > i?x > 

Here, F G R{Ey is the function such that Ft{pQ) = GriQ^ for T G E[p]. We 
find that the divisor of is p ■ T - p ■ O, and if F{pQ) = G{QY with G G R{EY , 
then F induces a well-defined map F : E{K) \ E\p] — > R^/{R^y, independent 
of the particular choice of F. Tracing through the definitions shows: 

Proposition 2.6. The composition E{K) ^ H\K,E[p]) — > R''/{R''Y is 
given by F on E{K) \E[p]. 

Again, this is functorial in K, and so we can use it for the local maps 6^. The algo- 
rithm for computing Sel*-''-' {K, E) then works as before, but now working within R 
instead of Sym|^(_R). 

Theorem 2.7. There is an algorithm that computes Sel*-^^(i^, E), which is efficient 
modulo computation of class and unit groups in the number fields K{T), where T 
runs through points of order p on E. 
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3. Constructing geometric representations 
OF Selmer group elements 

Our goal in the following will be to find explicitly the n-coverings corresponding 
to given elements of the n-Selmer group. We assume that we have reahzed the 
Selmer group as a subgroup of 

ker{d\Syml{Rr) 
dR^ ■ 

In practice, n = p, and we will have computed the p-Sclmer group as a subgroup 
oi H C R^/{R^y, but we can easily transfer this to H, by the map a i— > -^^da on 
representatives. 

We first need to explain the connection between our third and fourth interpreta- 
tions of elements of H^{K, E[n]) in some detail. By the general theory of central 
group extensions, theta groups are classified by the Gi^-equivariant symmetric 2- 
cocycles in Z'^{E[n\, K^), modulo the coboundaries of G^i-equivariant 1-cochains. 
The correspondence is as follows. First note that for every theta group 

— ^ G„ ^ e — ^ E[n\ — ^ , 

there is a iT-defined set-theoretic section E[n] — > 0. To see this, pick any 
section s : E[n] — > 0; then for any a G Gk, s'^ / s gives a map E[n] — ^ Gm, 
which (as a function of a) is a cocycle, hence can be interpreted as an element 
of Z\K,R''). Now H\K,R'') = 0, so there is some map t : E[n] — > G„, such 
that s"(T)t'^{T) = s(T)t{T); replacing s by st therefore yields a i^'-defined section. 

Given such a section s, we obtain a T^T-defined 2-cocycle : i?[n]^ — > Gm by 
setting 0(Ti,T2) = a~^(s(Ti)s(T2)s(Ti + T2)~^). Changing the section s amounts 
to a change of by the coboundary of a X-defined 1-cochain. The commutator 
condition translates into 4){Ti,T2) = e„(Ti, r2)0(T2, Ti). 

Now if we fix a /T-defincd section xe '■ E[n] — > C GL„, then wc obtain a 
2-cocycle e in the way described for a general theta group. Then the "difference" 
4>/e will be a symmetric 2-cocycle, since the commutator condition cancels. 

If n is odd, then there is a specific way of choosing a lift xe such that e becomes 
a power of the Weil pairing e^; in fact, s — such that 2k = 1 mod n. 

Given a symmetric 2-cocycle p, we get from Qe to 9p by "twisting" the multi- 
plication in ©E by p. Writing (T, A) for the element Xxe{T), the multiplication 
in is 

(Ti,Ai)(r2,A2) = (Ti + r2,AiA2£(ri,r2)), 

whereas the multiplication in Qp will be 



(Ti, Ai)(T2, A2) = (Ti + T2, A1A2 p{T,, T2)e{T^, T^)) . 
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Now, our definition of the maps d was exactly such that they correspond to the 
coboundary maps in the standard cochain complex 

Therefore, the elements of H represent exactly the 7^-defined symmetric 2-cocycles 
modulo the coboundaries of fC-dcfincd 1-cochains. Tracing through the definitions, 
we see that the theta group 9p corresponds to the same element of H^{K,E[n]) 
as the image of p in i?. 

Recall the obstruction map 

Ob : H\K,E[n]) — > H\K, FGLn) = H^{K,Hn) = Br {K)[n] . 

In our second interpretation, it was given by mapping C — > S to the element 
of H^{K, PGL„) corresponding to the twist S of P""^ From this it is obvious that 
Ob = xe,* is the map induced by xe '■ E[n\ — > PGL„ on cohomology. 
Now H^{K, PGL„) also classifies X-isomorphism classes of central simple algebras 
of dimension n"^ over K; these arc twists of the matrix algebra Mat„(JC). There- 
fore, one possible way of representing the obstruction explicitly is through the 
construction of the corresponding central simple algebra. Given a theta group 0, 
we obtain this in a very simple way: observe that the set Aq of all linear combi- 
nations of elements of (where we use the scalar multiplication coming from the 
theta group structure) is in a natural way a ^-algebra of dimension carrying 
an action of Gk (we simply extend the multiplication we have on linearly) . We 
let Aq denote the X-algebra of G^-invariant elements. For 0^, we obtain in this 
way the matrix algebra Mat„(X) with its usual Gx-action; this is because 0^ nat- 
urally sits inside GL„ and spans the matrix algebra. The ^-isomorphism between 
Qe and extends to a K-isomorphism between Mat„(-ftr) and Ae, showing that 
Aq is indeed a central simple A'-algcbra. It is then obvious that Aq corresponds 
to Ob(0). 

As an aside, note that there is a completely natural and coordinate-free X-defined 
isomorphism 

(Be) ^ End(L(n • O)) 

given by identifying 0^ with the set of pairs {T, fx) as before and using their 
action on L{n ■ O). 

How do we realize the central simple algebra Ob(,^) in terms of p G Sym|^(i?)^ 
representing G H^{K, E[n])'? Note that once we fix a section s : E[n] — > 0, the 
elements of Aq = (Q)^^ are identified with X-equi variant maps E[n] — > K and 
therefore can be viewed as elements of R. The map is 

Aq 3 ^z{T)s{T) ^{z:T^ z{T)) G R. 

T 
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Therefore, we can use R as the underlying i^T-vcctor space, and we only have to 
define a new multiplication. Let us do it first with Qe- Prom the definitions, we 
get that the multiplication on A — Aq^^ must be defined by 

Ti+T2=T 

In general, for Ap — Aq^, we define the multiplication as 

Zl *ep Z2^{T^ J2 ^(^1' T2)p{Ti, T2)zi{Ti)z2iT2)) . 
Ti+T2=T 

Proposition 3.1. Let p — with 7 e . Then in the realizations given above, 
a K -isomorphism between Ap and A is given by 

(f).y : Ap3 z I — ^ ^ z e A, 

where the multiplication is that of R(!). 

Proof: We compute 

07(^i*ep^2) = (r^7(r) Yl e{Ti,T2)p{Ti,T2)z,{Ti)z2{T2)) 

Ti+T2=T 

-(T^ e{T,,T2MT,)z,{TMT2)z2{T2)) 

Ti+T2=T 
= ^^{Zi) *e ^7(^2) • 

□ 

Remark: One can view A and Ap as twisted versions of the group algebra of E[n] . 
The group algebra (over K) is R, with convolution as multiplication: 

Z^*Z2^{T^ Y ^1(^1)^2(^2)). 
Ti+T2=T 

We can also consider the G^- invariant subalgebra (-R, *). Now it turns out that 
{R,*) is actually isomorphic to (R,-) (i.e., with point-wise multiplication). This 
isomorphism is given by "Pourier transform" in the following way. Define 

R3a\ — ' [oi : T ^ ^Y ^n{T, S)a{S)^ e R . 

s 

Then one can easily check that aP — a * /3 and that a = a/n^. Purthermore, • is 
defined over K, so it gives an isomorphism {R, ■) — ^ {R, *). 
We get A = {R, by twisting convolution in such a way that commutators on 
the image of E[n\ evaluate to the Weil pairing. 

Now suppose that p represents an element ^ in the n-Selmer group. Then we 
know that the obstruction vanishes, hence there is an isomorphism l : Ap 
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Ma.tn{K). Given such an isomorphism, we can write the cocycle representing 
Ob(^) e H^{K, PGLn) exphcitly as a coboundary. In the diagram below, we 
obtain an automorphism (over K) of Mat„, which must be conjugation by some 
matrix M e GL„(^). 

Ap Mat„ 

7 M 

Main 



We can find M (which is well-defined up to a multiplicative constant) from the 
automorphism by linear algebra. 

Proposition 3.2. We have that for all a e Gk, 

P(M-M-i) = xe{^.) . 
Here P(X) denotes the image of X & GL„ in PGL„. 

Proof: The map labeled M in the diagram above is X i-^ MXM^^. Applying 
a to the diagram, we see that on the one hand, by the bottom isomorphism, 

^- ^ ^^(r)^(r)x^(r) = ^^(r)e„(e.,T)x^(r) . 

0^ rp 0^ rp 

(Recall that in our fourth interpretation, e({o.) = ■j'^ /■j, where (?7 = p.) On the 
other hand, we need to have that 

z—> — >J2 z{T)M''M-^xe{T)MM-'' . 
7 J, 

Comparing these expressions shows that 

W'M-^XEiT) = en{C,,T)xE{T)M''M-' 

for all T G E[n]. If we write iW^M"^ = XxEiCa), then we find that X commutes 
with all Xe{T) and therefore with all of Mat„. Therefore X must be a scalar 
matrix, and 

F{M^M-')^F{xE{^,))^XE{Ca). 

□ 

From this, we can draw the following useful conclusion. 

Corollary 3.3. With the notations above, the second interpretation of an ele- 
ment £ e Sel(")(i^, E) can he realized in the form 

C > P"-i 

I I 

I I M 

\n-0\ 

E > P"-i 
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Note that for n > 3, the horizontal arrows are emheddings, and so the map on the 
left is given by restriction of the map on the right. 

Proof: We note that by the previous proposition, the cocycle associated to the 
diagram is exactly ^. □ 
In practical terms, this means that we make the linear change of variables cor- 
responding to (acting on the right) in the equations of C P"""''^ to obtain 
equations for C. 

However, recall that in order to find M, we need to actually have an isomorphism 
between Ap and Mat„(i^). To find such an isomorphism explicitly is a nontrivial 
problem, even though we already know that such an isomorphism exists. When 
n = 2, this turns out to be equivalent to finding a /^-rational point on a conic, 
knowing that it has points everywhere locally. The problem of "trivializing the 
algebra" that comes up here can be viewed as a generalization of this very classical 
problem. 

At least in theory, the problem can be reduced to solving a norm equation (over K 
or some extension of K). In practice, however, the data defining the algebra 
structure on Ap can be very large (they come in the end from elements of R{S, n) 
and often will involve units of the number fields occurring in R), making this 
approach impractical. On the other hand, at least when working over Q, we have 
a method that seems to work very well in practice (at least when n — 3, which is 
the only case where the first step, the computation of the Sclmer group as a group, 
can be carried out successfully), although we have so far not proved that it really 
always works. The idea is to first find a maximal order in Ap, which we know is 
isomorphic to Matn(Z). Then we apply a certain reduction procedure with the 
goal of reducing the structure constants in size until they are small enough to read 
off an isomorphism. 

Even though it is not immediately relevant to what we are doing in these lectures, 
I would like to mention the following. 

Proposition 3.4. 

(1) The obstruction map is even: Ob(— ^) = Ob(^). 

(2) The Weil pairing cup-product pairing 

Ue : H\K,E[n]) x H\K,E[n]) H\K,i^^) 
can be expressed in terms of the obstruction map: 

eUe^ = Ob(e + r;)-Ob(0-Ob(r;). 
In particular, Ob is a quadratic map: 

Ob(mO = Ob(0 , Ob(e + v) + Oh{^ - 77) = 2 Ob(0 + 2 Ob(?7) . 
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Proof: (1) Wc get the diagram corresponding to — ^ from the diagram corre- 
sponding to ^ by composing it with inversion on E: 



c- 

1 


>S 

1 


1 


1 


E- 


>-pn-l 



E' 



In particular, the Brauer-Severi variety for — ^ is the same (namely S) as the one 
for 

(2) This is a straight-forward, if somewhat tedious, verification using cocycles. □ 
Remark: There is another way of obtaining the model of C in P""^ (which is 
the one actually currently used in my 3-descent prorgam). It roughly works as 
follows. 

Instead of mapping E — ^ P'^"^, we can also map to the dual curve, i.e., we 
send P & E to the point in (P'^"^)^ corresponding to the osculating hyperplane 
at (f){P) (for n = 3, this is just the tangent hne, for n = 2, it is 0(P) e (P^)^ = P^ 
itself). We can combine (j) and this morphism 0^ : E — > (P"""-*^)^ into a single 
morphism and then follow it by the Segre embedding, where we can identify P"^-i 
with P(Mat„) and the embedding with multiplication of column vectors by row 
vectors. The image of Segre is therefore the set of rank-1 matrices. 



E 



pn- 



X 



= P(Mat„) 

The image of E in P(Mat„) will also be contained in the hyperplane of trace-zero 
matrices; this corresponds to the fact that 0(P) is on the hyperplane 0^(P). 
Now there is a commutative diagram 



E 



(0,0^) 



> p»-i X 



in-l\V 



Segre 



> P(Mat„) 



G 



Xe 



¥{R) 



where t G -R is a certain element satisfying t{0) = 0, t{T) ^ for all T ^ O. For 
example, when n — ?> and xe is chosen so as to make e = e|, then t{T) = l/y{T) 
(w.r.t. a WeierstraB model of E). 

Twisting by the cocycle represented by p = ^7, we obtain a model Ci of C in ¥{Ft) 
as • G{E). This can be computed explicitly in terms of p only: applying 5, we 
have 

zed <S=J> iz e G{E) pdz e r{E) , 

and the latter leads to quadratic equations in z, from which r{E) can be eliminated. 
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Then t ■ Ci will be contained in the rank-1, trace-0 locus of P(Ap) (identifying 
underlying vector spaces). If we have an isomorphism Ap — ^ Mat„(ii'), then we 
obtain C by projecting i{t ■ Ci) C P(Mat„) to any nonzero column. 



4. Minimization and Reduction 
I would like to come back to the diagram 

pi E C S P»-i 

I I ~ 

I ^ I ^ 

\n-0\ 



n 



E< E > 



Hn— 1 



Prom this diagram, one can read off that 7r*(0) ~ nD as divisors on C. Now there 
is a theory of heights on varieties. For a very ample divisor D, one defines 

/.^ : C ^ ^ R>o 

via the logarithmic height on P^. This is well-defined up to bounded functions. 
The main facts are that this induces a homomorphism 

r . {functions C R>o} 

{divisors on G j — > -r- — — . ~ -, 

{bounded functions} 

and that it is compatible with dominant morphisms C — ^ C in the sense that 

h^*D = hDo4> + 0(1) 

for divisors D on C. 

So if g e C{K) and P = 7r{Q) e E{K), we get that 

hoiQ) = -Vo(Q) +0(1) = -hoiP)+Oil) 

n n 

= ^h,o{P) + 0(1) = ^Kx{P)) + 0(1) . 

So up to something bounded, going from E to C divides logarithmic heights by 2n. 
Now, to really make use of this, one needs the "0(1)" to be fairly small. How 
large the error is depends mainly on the size of the coefficients in the equations 
describing C (and E) — the smaller they are, the better. So we would like to 
choose coordinates on P"~^ in such a way that C is described by small equations. 
There are two ways in which the equations can be large. The first is that the 
model is not minimal, i.e., it has unnecessary prime powers in its discriminant. So 
in a first step, one will try to remove these and obtain a minimal model. This step, 
called "minimization", has been worked out in theory and practice for n = 2, 3, 4 
and is being worked on for n = 5. 
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Then, assuming now that the model is minimal, wc still can make coordinate 
changes by SL„(Z). So we would like to find such a coordinate change that makes 
the coefficients of our equations small. This step, called "reducion", has been 
worked out (for this special case at least) in theory for all n, and is implemented 
for n = 2,3,4. 

There is an implementation in MAGMA that computes the 3-Selmer group 
(inside /{R^)^) of an elliptic curve E over Q. It then transfers the elements 
into H, finds the structure constants for the central simple algebras associated to 
them, computes an isomorphism with Mat3(Q), finds the equations for the model 
in and then projects the model into P^; finally this is minimized and reduced. 
This program works quite well in practice for curves if moderate size and produces 
a list of curves corresponding to (Sel*^'^^ (Q, E') \ {0})/{±l}. (Note that elements 
that are negatives of each other give rise to the same curve, which has two different 
structures as a principal homogeneous space for E.) 
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